srd424
Is it worth considering filesystem metadata? ext4 has a last write time: `tune2fs -l /dev/foo | grep 'Last write time'`
In case anyone's counting, seeing the recv() error messages from #1204 on one of the machines I admin. Would be nice to see it quietened down!
Going off at a slight tangent, Ubuntu 22.04 (jammy) is now out - and doesn't seem to include libssl1.1, so none of the obvious choices (bionic/focal/bookworm) for repositories contain an...
That might make the filters .. long-winded! What I was hoping to do is to have a filter rule compare the syscall number to the highest known, and if...
It might or might not be reasonable functionality to add to libseccomp as I guess the original problem may occur for multiple users of the library. It looks like it...
> If someone (libseccomp, nspawn, whoever) could return `ENOSYS`, then glibc will try to fallback from the newer syscall, e.g. `openat2`, to the older syscall, e.g. `openat`. Returning `EPERM` to...
I'm under-caffeinated this morning, but would having the ENOSYS handling then give us the possibility to turn large allowlists into small denylists for a possible performance win as well?
To be more specific .. at the moment anyone trying to _securely_ block certain syscalls effectively has to allowlist, because you can't be sure what syscalls a newer kernel might...
Good point - I guess we'd need well defined sets tagged by kernel version for that to work, which does seem to be being discussed a bit.
> I would also suggest that building with `--layers=false` attempting to remove base images, _even ones that were present in local storage before the build started_, is highly unexpected and...